DNS vulnerability exploits released
Now it's really high time to patch. Two exploits have appeared for the DNS security problem that allows the cache of a vulnerable resolver to be manipulated. While the first illuminating details of the still hushed-up security hole were made public earlier this week, there is now apparently another trick for palming off faked name resolutions on victims. One of the exploits, for instance, not only manipulates the resource record for a particular address, but can also substitute, in one go, the complete entry for the nameserver responsible for a domain. This gives attackers the opportunity to redirect not just a particular address, such as www.example.com, to their own server, but every system within the example.com domain.
Both attacks rely on a birthday-style flood of guessed 16-bit transaction IDs: the resolver is induced to look up many random, non-existent names under the target domain, and each of these queries is answered with a burst of spoofed replies that carry guessed IDs and smuggle additional records (the domain's nameserver and its address) into the reply. According to the meticulously commented exploits, the code was successfully tested against BIND 9.4.1 and 9.4.2. Behind the exploits is Metasploit exploit framework author H.D. Moore, who told US media that the tool needs one to two minutes to poison a cache. Dan Kaminsky, who actually discovered the hole, thinks it can be done in a matter of seconds.
For operators of typical DNS servers, updates from the various vendors have been available since July 8th. DSL routers also offer a DNS function, but they generally neither cache nor resolve recursively; they simply forward their clients' queries to the provider's nameserver. Only users of the OpenWrt open router operating system could be in trouble: according to a bug report, its standard DNS service, dnsmasq, is vulnerable to cache poisoning. Version 2.43 solves the problem, but because it was prepared in such haste it also contains a bug that lets certain DHCP packets crash it. In addition, OpenWrt and other distributions, such as DD-WRT, may not be quick to ship their own packages. Fortunately, the DNS problem only occurs when the query-port option is activated; that option pins dnsmasq's upstream queries to a single fixed UDP source port, which is exactly the predictability the exploits depend on. If it is not activated, dnsmasq is not vulnerable.
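To make the mechanism concrete, here is an added simulation, written for this article and not code from the CAU exploits, BIND or dnsmasq, of a toy caching resolver under a Kaminsky-style attack. It assumes a resolver with 16-bit transaction IDs, no credibility ranking of cached records, and either a fixed or a randomised UDP source port; the zone example.com, the addresses 203.0.113.66 and 192.0.2.53, the name www.bank.test and the record layout are all constructed for the example. It illustrates both points above: why a flood of guessed transaction IDs against a fixed source port wins within a handful of rounds while a randomised source port pushes the odds out of reach, and how an in-bailiwick NS record plus glue in the spoofed reply replaces the nameserver entry for the whole domain while an out-of-bailiwick record is dropped.

```python
import random

TXID_SPACE = 1 << 16                  # 16-bit DNS transaction ID: 65 536 possibilities
EPHEMERAL_PORTS = range(1024, 65536)  # source ports a randomising resolver picks from
FIXED_PORT = 53                       # fixed source port: every upstream query leaves from here
ATTACKER_IP = "203.0.113.66"          # constructed addresses from documentation ranges
REAL_NS_IP = "192.0.2.53"


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it.
    Resolvers use this to decide which authority/additional records in a reply
    to trust; an NS record for example.com is in-bailiwick for a query about
    <random>.example.com, which is exactly what the attack relies on."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class ToyResolver:
    """Caching resolver with one outstanding upstream query at a time.
    Assumption of this example: no credibility ranking of cached data, so an
    in-bailiwick record in any accepted reply simply overwrites the cache."""

    def __init__(self, rng: random.Random, randomize_port: bool) -> None:
        self.rng = rng
        self.randomize_port = randomize_port
        # previously learned, correct glue for the zone's nameserver
        self.cache = {("ns.example.com", "A"): REAL_NS_IP}
        self.pending = None  # (qname, zone, txid, source_port)

    def send_query(self, qname: str, zone: str) -> None:
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.pending = (qname, zone, txid, port)

    def receive(self, reply: dict) -> bool:
        """Accept the first reply whose question, TXID and destination port match
        the outstanding query; silently drop everything else."""
        if self.pending is None:
            return False
        qname, zone, txid, port = self.pending
        if (reply["qname"], reply["txid"], reply["port"]) != (qname, txid, port):
            return False
        for owner, rtype, data in reply["records"]:
            if in_bailiwick(owner, zone):  # out-of-bailiwick records are discarded
                self.cache[(owner, rtype)] = data
        self.pending = None
        return True


def forged_reply(qname: str, txid: int, port: int) -> dict:
    """Spoofed answer for the random name: an NS record for the whole zone
    (authority section) plus glue pointing the nameserver at the attacker
    (additional section). The last record is out of bailiwick and must be dropped."""
    return {"qname": qname, "txid": txid, "port": port, "records": [
        ("example.com", "NS", "ns.example.com"),
        ("ns.example.com", "A", ATTACKER_IP),
        ("www.bank.test", "A", ATTACKER_IP),
    ]}


def legit_reply(qname: str, txid: int, port: int) -> dict:
    """The authoritative server's real answer: the random name does not exist."""
    return {"qname": qname, "txid": txid, "port": port, "records": []}


def run_attack(randomize_port: bool, guesses_per_round: int, max_rounds: int, seed: int = 1):
    """Kaminsky-style race. Each round triggers a lookup of a fresh random name
    (never cached, so it always goes upstream) and floods the resolver with
    spoofed replies carrying distinct guessed TXIDs before the real answer lands.
    Returns (round in which poisoning succeeded, or None; final cache)."""
    rng = random.Random(seed)
    resolver = ToyResolver(rng, randomize_port)
    for round_no in range(1, max_rounds + 1):
        qname = f"{rng.randrange(10**9)}.example.com"
        resolver.send_query(qname, "example.com")
        _, _, real_txid, real_port = resolver.pending
        for guess in rng.sample(range(TXID_SPACE), guesses_per_round):
            # against a fixed port the attacker knows where to aim; against a
            # randomised port it can only guess the port as well as the TXID
            port_guess = FIXED_PORT if not randomize_port else rng.choice(EPHEMERAL_PORTS)
            if resolver.receive(forged_reply(qname, guess, port_guess)):
                return round_no, resolver.cache
        resolver.receive(legit_reply(qname, real_txid, real_port))  # real answer wins this round
    return None, resolver.cache


if __name__ == "__main__":
    rounds, cache = run_attack(randomize_port=False, guesses_per_round=4096, max_rounds=200)
    print("fixed source port: poisoned in round", rounds, "->", cache[("ns.example.com", "A")])
    rounds, cache = run_attack(randomize_port=True, guesses_per_round=4096, max_rounds=50)
    print("random source port: poisoned in round", rounds, "->", cache[("ns.example.com", "A")])
```

With 4096 guesses per round against a fixed port, each round has a 1 in 16 chance of winning, so poisoning typically lands within a few dozen rounds; with a randomised port the attacker must also hit one of roughly 64 000 ports per packet, which is why source-port randomisation was the vendors' fix and why a pinned query-port undoes it.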
- CAU-EX-2008-0002, Exploit 1 from Computer Academic Underground
- CAU-EX-2008-0003, Exploit 2 from Computer Academic Underground
- DNS security problem details released, news on heise online UK
- Massive DNS security problem endangers the internet, report on heise online UK